Comments on Security Scene: Introducing Constant Guard

Comment by James Fisher

2009-10-08T18:23:50Z

Is this going to affect both the residential side and business side? As a business class customer, I have taken the additional security precautions neccessary and dont appreciate the overhead potential that this could create for other various types of traffic such as VoIP and streaming video (which is very latency sensitive)? Also what is the false positive rate?

Comment by Brandon

2009-10-08T18:59:05Z

Very good Comcast! This is a great new feature you are rolling out and it should both help a lot of people as well as save you some headaches by getting all of that infected bot and spam traffic off of your network. My question though is will this be triggered as the user just browses the web, or will the user have to visit a Comcast controlled site, such as comcast.net before they see the alert? If a user has to visit a Comcast site to see the alert, it's not as good as if you can just push this alert to the user regardless, as many users (myself included) never visit Comcast controlled websites or do so very rarely.

Also, I have to wonder what else you may do with this technology. Will you start alerting users to other things as well, such as high bandwidth usage, new services available, service outages, etc? While using this banner technology for stopping malware is a good thing, I can think of quite a few ways off the top of my head that something like this could be abused, whether it be for advertising or something else. Are there any other plans right now besides using this to stop malware? If so, I would be curious to hear them.

Comment by Andrew Daviel

2009-10-08T23:28:57Z

Excellent! I am sure there is a significant body of users who would get their infections fixed if only someone would tell them. Between privacy considerations, and the cost of human intervention, it hasn't been economically feasible.

Comment by Johnny Doeboy

2009-10-09T05:40:48Z

Sounds good, but I'm concerned over the "Walled Garden" approach. I hope this is only used in extreme cases, if at all. I like the web browser notification solution the best.

Comment by Bryan Price

2009-10-09T18:29:29Z

This isn't truly related to post on hand, and a little off-topic, BUT!

I am beta testing browsers, specifically of Firefox Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) - Build ID: 20090824101458. It might behoove you and your sites to not be so picky on the version. Especially when the redirection goes to a 404 page. I hate to think of what happens when Firefox puts out another fix/version.

Comment by Fidelisoris

2009-10-09T18:46:03Z

As a Comcast subscriber, I DO NOT WANT THIS. I want to fully choose what is monitoring and protecting me, NOT big brother ISP.

Comment by goosmurf

2009-10-10T00:48:21Z

What mitigation steps have been thought of in relation to malicious attackers forging the Comcast in-page notifications?

It seems an ideal vector for phishing attacks once end users have become familiar with such notices.

Comment by Greg

2009-10-12T01:06:13Z

Some questions I have about this:

How do users know that the warning is really from Comcast and not a malicious impersonation?

How do users know that a "warning" (a malicious impersonation they assume is real) is not from Comcast?

There are innumerable malicious websites on the internet that already display graphics that appear to be anti-virus programs telling you your computer is infected, only to get you to download their malicious software. Aren't those criminals going to take advantage your users trust and supply warnings identical to yours, except that it points them to malicious code? Especially when you're the largest residential ISP in the U.S.?

How are users that aren't knowledgeable enough to prevent themselves from getting infected in the first place going to know how to avoid the malicious impersonations of your "Constant Guard" service? Those are the people that need this service the most, but are most likely to be fooled by impersonations.

You could attempt to filter out impersonations with your proxies, but that can easily be worked around (https, obfuscate/encrypt it and use javascript to decode it in the browser, use images, etc). There have been browser vulnerabilities in the past that allow the address bar to display a different URL than the site you're actually visiting, and there's no guarantee similar vulnerabilities won't occur in the future.

Even if you went as far as allowing the user to setup an account for this, letting them choosing a special image and keyword to be displayed to them when the warning appears, similar to modern bank website logins, your warnings will be displayed on potentially malicious websites, which may have access to these things via javascript, and may upload that information to the malicious to store for later use.

Now I'm no security professional (though I do have a large interest in computer/network/info security and have been studying it a little for about 5 years), yet it seems as though there are numerous flaws to this system. This isn't just a notification system. This is a *security* notification system. Yet it seems that it is wide open to abuse by criminals. I wonder if you will unintentionally increase users' trust of malicious, "your computer may be infected", warnings, leading to more infected machines. In fact, as far as the client end is concerned, it appears that you are copying the techniques of criminals to inform them of their possible infections.

I glanced at the IETF draft for Service Notifications, and then only mention of "security" is that security considerations will be added in a future update of the draft (http://tools.ietf.org/html/draft-livingood-web-notification-00#section-11). Have any security experts been consulted while designing this system, or was security just an after-thought? I sure hope it wasn't an after-thought, since "Constant Guard" is in fact dealing directly with security issues. With the information I've seen about this so far, it appears it was initially designed with no thought of security whatsoever. I hope I'm wrong, and that you have already solved these problems (and any others I forgot to mention or haven't yet thought of).

My questions about the security of this system aside, I would much prefer this system to be at least opt-out, if not opt-in. I personally have no use for this system. At home I keep my machines and network locked down pretty well: run a linux router, use multiple linux machines, rarely use windows (though there is one windows machine on my network, with anti-virus, which I keep a careful eye on), watch traffic/connections, check logs, etc. I know it's not impossible for one of my machines to be compromised, which is why I'm always watching things. I certainly wouldn't trust this service enough to watch my machines/network any less than I currently do.

Comment by Jay Opperman

2009-10-12T20:48:37Z

At this time the Constant Guard Service Notification is only available to residential customers. That isn�t to say commercial customers are not at the same risk of being infected with Bots and we will look for solutions to assist our commercial customers in style complimentary to their needs.

Comment by Jay Opperman

2009-10-12T20:49:24Z

The Service Notice is not tied to visiting Comcast sites and may be received by the customer when visiting non Comcast sites. Our objective is to use the most effective means to alert our customers to service related issues such as infected or botted PCs and our initial results over the past few days indicated the service notice is well received and is successful in offering helpful instruction. Assuming this success continues, we will look to use the Service Notice to communication other important service related messages.

Comment by Jay Opperman

2009-10-12T20:53:01Z

We tend to agree as our tests reveal the walled garden can be very disruptive to internet applications and isn�t the best vehicle for delivering an important service message. That being said, the walled garden can be useful when applied in the appropriate situations.

Comment by Jay Opperman

2009-10-12T20:54:44Z

I'm going to paste the relevant section from our FAQs http://security.comcast.net/constantguard/faqs/notification.html:

To help you verify the Service Notice is from Comcast, you should receive an email confirmation of this Service Notice to your Primary Comcast.net email account. Please click here to sign into your Comcast.net email.

The email will come from "csa-noreply@comcast.net" and will have a subject line of "Constant Guard Security Notice".
Noted below is a sample of the email sent to your Primary Comcast.net email account.

From: csa-noreply@comcast.net
Subject: Constant Guard Security Notice
Customer Security Assurance Notice
Dear Comcast Customer:
Constant Guard has identified that one or more of your computers may be infected by a computer virus known as a bot.
A bot is a form of virus that is used to gain control over a computer, typically without the owner�s knowledge. Online criminals can use bots to collect personal and private data such as Social Security numbers, bank account information, and/or credit card numbers. This can also lead to identity theft.
We recommend that you take a few minutes to visit the Anti-Virus Center for instructions to assist you in removing the virus from your computer. To help stay protected, we strongly advise you to perform regular Operating System and anti-virus software updates.
Comcast also makes extensive information available about the latest security alerts on the Comcast.net Web site. To view this information we urge customers to visit www.comcast.net/security .

Thank you for choosing Comcast!

Sincerely,
Customer Security Assurance
____________________________________________________

Comment by Remote Computer Support

2009-10-22T01:42:27Z

That would definitely be a cool added feature to enhance customer's PC Security. Knowing when a computer is infected with viruses/spyware is critical because it enables the customer to determine the best course of action at the most appropriate time. Additionally, customers do need a proactive remote computer repair service to help overcome the sudden outburst of malicious codes being increasingly complex with virus infections involving more system elements than ever before.

Comment by Anthony R Gibson

2009-11-05T04:50:53Z

Well I have Been With Comcast Since September 13 2008 i Know You All Work Very Hard To Provide Service For Your Customer ImVery Happy With My Triple Play Bundle With HD Services (No Problems So Far) Things Happen For A Reson I Understand Keep Up The Good Work Okay One More Thing In The Beginning Had Decided To Switch To AT&T (Trouble With Services) But Since Comcast Was Working Very Hard On Improving My Services Now Over A Year Later I Decided Against AT&T & Decided To Stay With Comcast & I Have Been Happy Ever Since I Have Been Telling My Friends Every Chance I Get To Go With Comcast They Will Be Just As Happy As I Am In The Long Run You All Must Be Doing Pretty Good When I Go To The Comcast Payment Center It Is Always Crowded Must Be Something About Amazing Services I Have A good Idea For You All Start A Comcast Celluar Serbvice Think This Over All Those Cell Phone In The World More Money For Comcast Okay E-Mail Reply Back To Me Like To Hear What You All Think About My Messages God Bless You All Anthony R Gibson

Comment by robert954

2010-03-15T13:06:00Z

Hey thanks for this software.I like ti own it to aware hackers.You are providing such a good service to avoid bots, viruses, spam and other serious threats.........

Thanks,
IT Support Los Angeles